On Sep 5, 2008, at 9:30 AM, Marco Laponder wrote:
Thanks for you quick response David !
I am using BASIC auth so it is probably what you expect. Is there any
recommendation you could do to prevent it ? Or should I remember it
as a
http session variable ? I really don't want to do the complete
validate
on each request (especially because I am doing a lot of request with
AJAX)
BASIC really requires authentication on every request. I think you
might be able to write a "caching login module" that wraps your
existing login module and puts the principals (and credentials if any)
from your existing login module into a cache and if they exist and
haven't expired puts them into the Subject supplied for each login.
Hope this makes some sense :-)
thanks
david jencks
Kind regards,
Marco Laponder
-----Oorspronkelijk bericht-----
Van: David Jencks [mailto:[EMAIL PROTECTED]
Verzonden: vrijdag 5 september 2008 15:23
Aan: user@geronimo.apache.org
Onderwerp: Re: too many LoginModule requests ?
On Sep 5, 2008, at 9:00 AM, Marco Laponder wrote:
Hi All,
I have created a custom login module for the user authentication,
which
works ok (I can login as expected). I was surprised by the number of
calls to the login module. Even if I successfully logged in on a
previous request, a next request on the same context did again call
my
login module. Is this expected behaviour ? I would like to just login
once instead on each request. Am I doing something wrong in my custom
module or is this behaviour as expected ?
BASIC, DIGEST and client cert auth will authenticate on every
request. FORM auth ought to only authenticate once and cache the
result in the session. If you are using FORM auth, only see the login
page once, and still see logins for every request..... I'd like to
know about it and if possible see a stack trace. (At the moment my
experimental jetty7-jaspi branch does login on every request, even
with FORM auth, but I didn't think the published versions did).
thanks
david jencks
Kind regards,
Marco Laponder
-----Oorspronkelijk bericht-----
Van: David Jencks [mailto:[EMAIL PROTECTED]
Verzonden: woensdag 3 september 2008 19:07
Aan: user@geronimo.apache.org
Onderwerp: Re: retrieve custom principal from custom loginmodule in
servlet
On Sep 3, 2008, at 1:28 AM, Marco Laponder wrote:
Hi Everyone,
I am trying to build a custom login module where custom principals
are
added to the subject. The login works as expected and on the
commit I
add my specific principal object to the subject.
So far so good, but now I need to retrieve this object In my servlet
and
I was expecting to be able to retrieve it by
httpRequest.getUserPrincipal() but the principal returned is not an
instance of my custom principal. Can anyone given any tips how to
find
out what I am doing incorrect or is this situation not possible at
all ?
You don't say if your login configuration includes any other login
modules. Assuming that it does not....
The specs don't describe how to pick the "UserPrincipal" from the
possibly numerous principals in a logged-in Subject. Geronimo uses
this code snippet:
Set<? extends Principal> principals =
subject.getPrincipals(GeronimoCallerPrincipal.class);
if (!principals.isEmpty()) {
context.principal = principals.iterator().next();
} else if (!(principals =
subject.getPrincipals(PrimaryRealmPrincipal.class)).isEmpty()) {
context.principal = principals.iterator().next();
} else if (!(principals =
subject.getPrincipals(RealmPrincipal.class)).isEmpty()) {
context.principal = principals.iterator().next();
} else if (!(principals =
subject.getPrincipals()).isEmpty()) {
context.principal = principals.iterator().next();
}
So, the most reliable way to get your special principal returned as
the UserPrincipal is to have it implement the marker interface
GeronimoCallerPrincipal, and assure it is the only principal that
implements that interface.
Hope this helps
david jencks
Kind regards,
Marco Laponder
